How Facebook Responded To Tunisian Hacks 227
jamie writes "Facebook's security team opens up, shedding light on a revolution that could become a parable for Internet activism. Quoting: 'After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on. The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast. Though Sullivan said Facebook has encountered a wide variety of security problems and been involved in various political situations, they'd never seen anything like what was happening in Tunisia.'"
Duh (Score:2)
Re:Duh (Score:5, Informative)
I believe the ISP changed the facebook login page to execute additional javascript to grab the entered password before it was sent off, encrypted, to the fb server. But then again I didn't RTFA...
Re:Duh (Score:5, Insightful)
Https as commonly employed isn't enough (Score:3)
Re:Https as commonly employed isn't enough (Score:5, Insightful)
In theory, only one end needs to authenticate the other.
In practice, the website depends on the client to do a good job of this. So if you're running MS Windows, the Tunisian government can put a trusted root certificate in your computer with the endorsement of Microsoft. So even running https everywhere will not save Facebook from Microsoft.
Try it yourself. If you have access to a Windows machine, visit http://bit.ly/eWYRbA [bit.ly] in IE then check your personal cert store for Agence Nationale de Certification Electronique.
If you think this is a big deal, retweet it [twitter.com] or spread the word in other ways. I'm at a loss to explain why people aren't realizing the magnitude of this.
Of course, what's even better is that it's a CODE SIGNING cert. ;-) Now that's what I call pwned!
Re:Https as commonly employed isn't enough (Score:5, Informative)
This page has a nice writeup of the problem [proper.com] and mentions that Vista or higher behave differently (not really better, just differently).
Re: (Score:3)
No, only one party needs a certificate (call them party S for server). The other party (C for client) picks a random symmetric key and encrypts it to the public key of S. S decrypts it and the two ends can exchange data.
This is a (greatly oversimplified) overview of how SSL usually works, without client certificates. The CA is necessary because the client doesn't know the server's cert in advance. It does have the limitation that S cannot prove the absence of a man-in-the-middle, but C can. In practice, S
Re: (Score:2)
Re: (Score:2)
Well, large services such as Facebook could in theory simply issue their own client certs which are self-signed. It is more of an issue of it being a customer service issue than anything else.
Re: (Score:3, Interesting)
Meaning the calls to always use https actually make sense.
Indeed. Most (all?) those online services, whether it be yahoo, facebook or myspace have their login box accessible from their main (non https) page. Even though login itself may be encrypted, the user is not supposed to enter the https himself, but he is instead redirected to a https page once he clicks login.
It's scary how easy this is (I once did it for a friend w
Re: (Score:2)
Sullivan's team rapidly coded a two-step response to the problem. First, all Tunisian requests for Facebook were routed to an https server. The Https protocol encrypts the information you send across it, so it's not susceptible to the keylogging strategy employed by the Tunisian ISPs.
Https would still be susceptible to keylogging. I won't detail how the attack would be laid out (wouldn't want to inspire potential attackers ;) ), but https won't protect from a keylogging javascript being attached to the login page by an ISP. Do your research on MIM attacks if anyone wants to find out.
So, either the solution won't work, or the attack wasn't as cleverly implemented.
And let me say which one it is
Re: (Score:2)
https won't protect from a keylogging javascript being attached to the login page by an ISP.
It would protect if there was no http login page. You have to get the javascript installed before you launch https because you can't get it installed later.
With most browsers, simply having the http page remap to the https page leaves the keylogger free to continue to run. But if you start your session with https you are reasonably safe from key loggers done in javascript.
Re: (Score:2)
Re: (Score:2)
Re:Duh (Score:4, Funny)
Add the character "2" at the end of all current passwords?
Re:Duh (Score:4, Interesting)
Anyone who logged in during the period of time where passwords were being captured was presented with photos and asked to pick the ones featuring their friends. Then they were asked to choose a new password.
Re: (Score:2)
The good news is that the answer to your question is spelled out explicitly in TFA...
Re: (Score:2)
If you RTFA, they required people to identify pictures of their friends to prove they were the real account holder.
Re:Duh (Score:4, Insightful)
As bad as every other site that doesn't require https:// for login.
Re: (Score:2)
I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?
Re: (Score:2)
Re: (Score:2)
Agreed, but this part of the article had me intrigued:
I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?
I think it's simple: Facebook allows HTTP logins, but defaults to HTTPS. The ISP could respond to the initial HTTPS request with a redirect to the regular HTTP version.
Re:Duh (Score:4, Interesting)
The ISP can run a proxy which pretends to be the user from the point of view of facebook and pretends to be facebook from the point of view of the user. It can run an https connection to facebook and forward it to the user as a plain http connection. That way it can record or change anything in the facebook session and the user probably won't be aware that the proxy is there.
The proxy could also run an https connection between the proxy and the user but that is more difficult because encryption software in the browser would alert the user that the proxy is not facebook. However if the browser has been fiddled with it's game over for the user on many levels. Lots of people in the third world access the internet from internet cafes. One place I used in Malaysia has a single windows image which is booted across the LAN when a workstation is started. If the Government got their own software on to the server with that image, or changed the template for all the internet cafes then it would be impossible to guarantee security.
Re: (Score:2)
It can if you load a rogue root CA, and sign your OWN certificate for a MITM to facebook.com
Re:Duh (Score:5, Informative)
Or just find a CA that is either sympathetic to your cause or subject to your coercion.
read and weep [mozilla.org]. A list this long and spread through so many different countries is not the way to run a tight ship security wise.
Re: (Score:3)
Agreed, but this part of the article had me intrigued:
I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?
Not like I've RTFA or anything, or even an expert, but my guess is simply the issue of- facebook _allows_ http logins, so all a nefarious government/network need do is break https for the site. I.e. the solution is to not have an unencrypted option, such that if a gov/net breaks https, instead of falling back to an insecure login, people get pissed that they can't use the site at all, and thus it becomes a high profile news story, etc.
Re: (Score:2)
The connection from home computer to ISP proxy server is by http. The connection from ISP proxy server to Facebook is by https. The proxy server can then modify the page before sending it unsecured to the home computer.
SSL Strip (Score:3)
Agreed, but this part of the article had me intrigued:
I do not know the ins and outs of internet routing well enough to understand this, but I was alarmed by it. Does anyone with more technical expertise in the area have any insight?
It's called SSL Stripping... It's an old issue, but a recent tool has made it a bit more mainstream. There's a presentation here: http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf [blackhat.com]. And a tool here: http://www.thoughtcrime.org/software/sslstrip/ [thoughtcrime.org]
The slides are worth looking through. At the root it's a very simple concept: people do not type https into the browser, they usually get to https through a redirect from http. A MiTM can tamper with that and conti
Re: (Score:3)
The attack may have been a little more sophisticated. Most pages are loaded over a non-encrypted connection. Just the password may be sent over an https connection. However, the use of unencrypted pages for everything else allows man in the middle attacks that insert a javascript keylogger into the reply that logs keystrokes directly from the source PC, not from packets as they cross the
Re: (Score:2)
How badly does Facebook's password encryption suck if a man-in-the-middle attack can easily steal everybody's password?
How exactly was Facebook supposed to encrypt the users' passwords before receiving them? If you know how to do this then I'll write you a check right now.
Re: (Score:2)
I think I can help a little here. If you aren't using https for logins, then you can do some password hashing tricks to make things much more secure. I developed a similar solution for this at my last job. I checked some other sites to see if they used it when I developed my solution and found that yahoo email did pretty much exactly the same thing when they were using http (non-secure) logins.
Basically the idea is something like this:
*) Server sends a random long string along with form. This string has a t
Re: (Score:2)
Re: (Score:2)
Good point. The solution I mentioned only works when ISP or middleman isn't injecting things. Sorry about the unnecessary reply.
Re: (Score:2)
This solution only works against listeners, not injectors. So it provides a defense for those cases. It is not any less secure, but I admit to it being useless in this case where they probably were doing injection. (Didn't read article, probably should've.)
Re: (Score:2)
I'm sorry, obviously you have never heard of HTTPS. You are a moron, perhaps?
HTTPS relates to the connection between the users and Facebook. It has nothing to do with the way Facebook encrypts the passwords themselves, which is what I was pointing out.
Re: (Score:2)
Obviously you've never heard of a MITM attack [wikipedia.org]. HTTPS is vulnerable to it.
It *is* possible to encrypt the password for real before the password gets passed to the server, by means of using some javascript with a one-way encryption (think pgp) and a public key, but that would require disclosing the public key as well as the encryption algorithm being used, which isn't very good mojo.
Re:Duh (Score:4, Insightful)
It *is* possible to encrypt the password for real before the password gets passed to the server, by means of using some javascript with a one-way encryption (think pgp) and a public key, but that would require disclosing the public key as well as the encryption algorithm being used, which isn't very good mojo.
WTF? There's nothing wrong with disclosing the public key (hint: it's right there in the name. You can encrypt with the public key, publish the key on websites, in newspapers, hell broadcast it on national radio - it doesn't matter. That's the point. Just don't publish the private key.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Good evening Mr By I represent the Government of Tunisia. A new future awaits you as an employee of the fastest growing security establishment in Africa...
Re: (Score:2)
Facebook doesn't use an SSL login page.... It was totally unencrypted.
Re: (Score:2)
Log out of facebook and go here:
http://www.facebook.com/index.php [facebook.com] The login page is not secure by default (though you can manually type https if you want). Unless you explicitly tell facebook to be HTTPS, it won't be. How many users do you know who would do that? I can't think of a single one....
An ISP could easily inject a javascript keylogger into this page. It would be downright trivial.
Re: (Score:2)
Require HTTPS for all connections... (Score:5, Insightful)
Re:Require HTTPS for all connections... (Score:5, Insightful)
I'd say baffling is more appropriate...as huge as the website is, and with as much personal information being slung around, you'd think they would make it ONLY https at this point...
Re: (Score:2)
Re:Require HTTPS for all connections... (Score:4, Insightful)
Awesome! HTTPS actually makes the application less annoying?!?!
Re: (Score:2)
So some websites (still?) send login and password info as cleartext?
Why do we enable incompetent people to get rich?
Re: (Score:2)
My only guess is that someone in IT sniffed some passwords, or else active directory (or whatever windows us
Re: (Score:2)
Precisely. This attack should have been impossible.
Re: (Score:2)
Except that all the interceptor need do is force an HTTP connection to themselves, then make the HTTPS connection outbound. How many people would actually check for an HTTPS connection before logging in to Facebook?
Every tunisian naked pics is leaked (Score:2)
Bandwidth isn't free (Score:2)
As big a fan as I am of HTTPS, it's not only slower than HTTP for the end user, but costs a bunch more in bandwidth and compute (caching problems).
I'd say only HTTP is also more along the lines of Zuckerberg's infamous opinion [theregister.co.uk] of his users... in his view they get what they deserve.
Re: (Score:2)
That's the theory anyway. Turns out users are dumb; they put important info on public sites that they don't want anyone to see, they use the same password for multiple sites, they have auto login, etc. So it does make sense to have https, in hindsight. So all the fluff sites should beef things up.
Re: (Score:2)
Sadly, https://www.facebook.com/ [facebook.com] does work, but you have to force it... and continue to force it because each request sent over https generates a response as http.
Re: (Score:2)
Could a greasemonkey script be written to update all links to HTTPS?
Re: (Score:3)
Erm, embarrassing moment... someone already has [userscripts.org].
Re: (Score:2)
Could a greasemonkey script be written to update all links to HTTPS?
Ask and you shall receive: HTTPS Everywhere [eff.org] is a Firefox plugin that forces HTTPS not only on Facebook, but Google and numerous other sites, with the ability to configure still more.
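To make concrete what the "SSL Strip" post earlier in the thread describes and what a Greasemonkey script or HTTPS Everywhere does about it, here is an added example that is not code from sslstrip, the Black Hat slides, HTTPS Everywhere or Facebook. It models a constructed origin that redirects http to https, an sslstrip-style proxy on the plaintext path that follows that redirect itself and hands the browser a plaintext copy with every `https://` turned into `http://`, and the browser-side upgrade rule that rewrites known hosts to https before the request ever leaves. The hostnames, the `/login.php` path and the upgrade rule set are assumptions.

```javascript
// Added example: sslstrip-style downgrade versus an HTTPS-Everywhere-style
// upgrade rule, over constructed responses. Hosts, paths and rules are assumed.

const SITE = 'www.facebook.com';   // assumed
const LOGIN_FORM =
  `<form action="https://${SITE}/login.php" method="post">` +
  '<input name="email"><input name="pass" type="password"></form>';

// Constructed origin: plain http gets a 301 to https; https serves the form.
function origin(url) {
  const u = new URL(url);
  if (u.protocol === 'http:') {
    return { status: 301, headers: { location: `https://${u.host}${u.pathname}` }, body: '' };
  }
  return { status: 200, headers: {}, body: LOGIN_FORM };
}

// The MITM's rewrite: a redirect to https becomes a redirect to http, and every
// https:// reference in the body becomes http://, so the browser keeps talking
// plaintext to the proxy while the proxy talks TLS to the origin.
function downgrade(resp) {
  const headers = { ...resp.headers };
  if (headers.location) headers.location = headers.location.replace(/^https:\/\//, 'http://');
  return { status: resp.status, headers, body: resp.body.replace(/https:\/\//g, 'http://') };
}

// sslstrip-style proxy. It only sees plaintext requests; a request the browser
// already made over https passes through untouched (no valid certificate, as
// the thread notes), which is the whole point of starting the session on https.
function stripProxy(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return origin(url);
  u.protocol = 'https:';                 // fetch the real page over TLS ...
  return downgrade(origin(u.toString())); // ... and hand back a stripped copy
}

// Browser-side upgrade rule: hosts known to serve https are rewritten before
// the request leaves, and any http:// links in a received page are fixed too.
const UPGRADE_HOSTS = new Set([SITE, 'facebook.com']);   // assumed rule set
function upgradeUrl(url) {
  const u = new URL(url);
  if (u.protocol === 'http:' && UPGRADE_HOSTS.has(u.hostname)) u.protocol = 'https:';
  return u.toString();
}
function upgradeLinks(html) {
  return html.replace(/\b(href|src|action)="(http:\/\/[^"]*)"/g,
    (_, attr, url) => `${attr}="${upgradeUrl(url)}"`);
}

// A minimal browser: follows redirects and returns the final page.
// `ext` is the optional extension hook { url, html }; null means no extension.
function browse(fetchFn, startUrl, ext = null, maxHops = 5) {
  const fixUrl = ext ? ext.url : (u) => u;
  let url = fixUrl(startUrl);
  for (let hop = 0; hop < maxHops; hop++) {
    const resp = fetchFn(url);
    if (resp.status >= 300 && resp.status < 400) { url = fixUrl(resp.headers.location); continue; }
    return { url, body: ext ? ext.html(resp.body) : resp.body };
  }
  throw new Error('too many redirects');
}

// The check that matters: where will the password be posted? Anything other
// than an absolute https:// action counts as "in the clear".
function loginPostsInClear(html) {
  const m = /action="([^"]*)"/.exec(html);
  return !m || new URL(m[1]).protocol !== 'https:';
}

function demo() {
  const start = `http://${SITE}/`;   // what users actually type
  const ext = { url: upgradeUrl, html: upgradeLinks };
  return {
    direct:   loginPostsInClear(browse(origin, start).body),          // false: redirect honoured
    stripped: loginPostsInClear(browse(stripProxy, start).body),      // true: never saw https
    upgraded: loginPostsInClear(browse(stripProxy, start, ext).body), // false: started on https
  };
}
```

Note what the `upgraded` case relies on: the rule fires before the first plaintext request, so the proxy never gets a request it can strip. The rewrite of links inside a received page (the `upgradeLinks` half, which is what the userscript in the reply above does) is the weaker half, because it only helps after a page has already arrived intact.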
Kudos to facebook (Score:5, Insightful)
Re: (Score:3)
When they prevent HTTP login and switch to HTTPs, they'll have done something right. This is just PR. Their shitty security allowed this in the first place.
No Kudos to facebook (Score:3)
Yes, https increases CPU and bandwidth, but if you also include the benefits: reduction in staff, support, bandwidth, cpu, etc currently wasted trying to fix the resulting stolen/hijacked accounts, it would come out ahead, probabl
Re: (Score:2)
The Chinese Intelligence Agency?
Re: (Score:2)
The Chinese Intelligence Agency?
You fucked that up. "Chinese Intelligence in America" was the Simpsons joke.
Re: (Score:2)
D'oh!
so who's to blame for this one? (Score:2)
makes you wonder why a country is able to steal its Facebook users' passwords.
Re: (Score:2)
It was very easy... Rtfa
Wake up call (Score:2)
HTTPS (Score:5, Insightful)
Article Summary: They switched facebook to use https in Tunisia.
I wish facebook would consider just switching all traffic to https.
Re: (Score:2)
+1. I know FB would rake in the bucks if they offered a premium service that had https by default, no ads, and the ability to use a VASCO or SecurID keyfob (with OATH certification when logging from PCs, and for non-PCs, the FB app has the ability to set a PIN.)
I'd pay the usual $20 a year for this easily, mainly because FB is a good tool for keeping track of band and other events going on locally.
Re: (Score:2)
Re:HTTPS (Score:4, Insightful)
Wow $20 a year? You and five other people. They rake in more than that in ad revenue from each "prime" user. Also most people just don't care enough to pay for this service.
What I find amazing is not that Facebook isn't secure but people expect it to be. This is a place where you "publish" information on the internet. It is not now and never should have been considered a secure communication channel.
Why doesn't facebook default to https [slashdot.org]? My guess is cost. It takes resources to encrypt data and for Facebook moving everything to https probably would cost a few million dollars in resources.
And nothing stops you from using https://facebook.com/ [facebook.com] does it?
Re: (Score:2)
What I find amazing is not that Facebook isn't secure but people expect it to be. This is a place where you "publish" information on the internet. It is not now and never should have been considered a secure communication channel.
I deleted my facebook acct about a year ago, so excuse my terminology.
Imagine the scenario of a profile picture being changed to goatse.
You are correct that it is "published" to the internet and is not secret-secure.
Where you are wrong, is thinking that it is authorized-secure.
Much like this post was written by VLM. Or, was it? As if you'd know...
Re: (Score:2)
It would be at most annoying but not harmful. The people that know me would think that someone else did it. AKA that I was hacked. The risk to benefit ratio of me being on facebook is worth it time. I get to see when friends are expecting babies, get married, and or get new jobs. I guess if someone really wanted to make the effort they could hack my account but as I said it would be mildly annoying and not much else.
Big deal. But you deleted your profile so I guess you realize that facebook isn't secure or
Re:HTTPS (Score:4, Informative)
If you go to https://facebook.com/ [facebook.com] you do view an encrypted home page. But all of the links to everything are just non-encrypted http. Unless you copy each link, paste it into the address bar, and prepend 'https://' to it (or write a browser script to do the same) then most of your facebook session will not be secured.
Re: (Score:2)
The ISP could still proxy the connection though. Proxy to FB and Proxy to client would still be encrypted but the proxy would get the username and password. The client may have to click through a warning about a mismatched certificate but I reckon most would.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
True but say the user in Tunisia is using IE from Windows. Maybe the government looks the other way when people steal the version of windows with the "right" binaries. Or he's running firefox but Tunisia has a special localised version which you automatically get when you download it from one of their ISPs.
Re: (Score:2)
The ISP could still proxy the connection though. Proxy to FB and Proxy to client would still be encrypted but the proxy would get the username and password. The client may have to click through a warning about a mismatched certificate but I reckon most would.
Probably not even necessary. How hard would it be for the Tunisian government to get a CA in Tunisia to sign a fake Facebook cert? Then there'd be no warnings at all. I mean SSL only works if you trust every CA whose root cert is in your browser, and really, why the hell should anyone do that?
Re: (Score:2)
The ISP could still proxy the connection though. Proxy to FB and Proxy to client would still be encrypted but the proxy would get the username and password. The client may have to click through a warning about a mismatched certificate but I reckon most would.
Probably not even necessary. How hard would it be for the Tunisian government to get a CA in Tunisia to sign a fake Facebook cert? Then there'd be no warnings at all. I mean SSL only works if you trust every CA whose root cert is in your browser, and really, why the hell should anyone do that?
Yes.
Re: (Score:2)
I wish facebook would consider just switching all traffic to https.
Because typing in the "s" would confuse the majority of the userbase.
Re:HTTPS (Score:5, Informative)
Hardware costs would soar if they switched entirely to HTTPS. There is an entire industry making crypto co-processors to handle the load that millions of concurrent HTTPS connections place on an infrastructure.
SSL accelerators are useful for offloading the CPU-heavy part of the SSL transaction: the RSA key-exchange part. The rest of the secured connection is quite light, particularly when using a fast cipher like RC4. The RSA part can be sped up by using shorter keys (e.g. a 1024-bit key, rather than 2048 or 4096-bits), while still providing modest security (anything is better than nothing).
That this guy [imperialviolet.org], a Google employee, said the following about SSL:
In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.
If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.
Pay Up (Score:5, Insightful)
Light on details (Score:3, Insightful)
The article is a little light on details, but am I right in thinking that people's session cookies were being sidejacked? AFAIK, despite FB not sending everything over https, the password is sent over https. So I don't see how a keylogger like approach would work to intercept the pw, unless the Tunisian government was smart enough to run something like Moxie Marlinspike's sslstrip where they did a MITM attack and sent unencrypted http traffic to the user and then stole their password. I doubt this was the case because a) they don't seem smart enough and b) no security measure would circumvent this unless people knew not to log in over http.
So now we just wait until the government uses sslstrip...
P.S. - It's unbelievable that in this day and age FB doesn't encrypt the whole session given how trivial session-jacking is.
Re: (Score:3)
There are a lot of places other than FB which don't encrypt their traffic other than the initial username/password. Mainly because it is cheap to do so (plain http connections after authentication can be cached, no need to set up and tear down encrypted sockets, etc.)
However what was par for security even last year before widespread sidejacking tools like FireSheep became available is now considered a wide open security risk. Just like how companies have to firewall their networks with the expense involve
Re: (Score:2)
Executive summary (Score:5, Funny)
Facebook doesn't want anyone accessing their customers' personal information unless Facebook is being compensated.
Re: (Score:2, Insightful)
Good thing Tunisia doesn't have a Root CA! (Score:2)
At least, I guess they must not...unlike most every other government in the world... If they did, they could still pretend to be Facebook, even when facebook uses https!
Why not protect all users? (Score:2)
Why do you need a country-level solution? Why not a global solution, which implements ALL your country solutions at once?
Re: (Score:2)
Why do you need a country-level solution? Why not a global solution, which implements ALL your country solutions at once?
Because:
a) Tunisia is in the news for the first time since the Punic Wars, so it's topical. That gives positive PR value.
b) Tunisia is a small country that doesn't have the number of users as, let's say, the US, and so forcing https down their throat is not going to be a big deal
c) If this fails, people will forget about it as soon as people forget about Tunisia again. (About 2-4 weeks from now)
and....
d) "Holy shit, look at what's going on in Tunisia! Hey, wouldn't it be funny if we had Tunisians as cust
HTTPS Everywhere (Score:5, Informative)
Once again, our friends at the EFF are ahead of the curve. Their HTTPS Everywhere extension, released a few months ago, probably would have beaten this attack by Tunisian security services, or at least made their jobs much harder.
Here's the extension: https://www.eff.org/https-everywhere [eff.org]
Work that donate button a little while you're there.
They turned on https for logins (Score:2)
The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast.
Please tell me that they turned on https for logins by default. Because that is what they should have done.
I don't think that word... (Score:2)
... means what you think it does:
a revolution that could become a parable...
Bzzt. wrong
Facebook ... Security ... (Score:3)
Re: (Score:2)
FUCK ZUCKERBERG!
You have logged in from Tunisia. Thank you for using Facebook.
Re: (Score:2)
The WTF was that they weren't using https in the first place.
Re: (Score:2)
The wtf is that they only switched to http login for tunisian users. Everyone else still gets good old fashioned unencrypted http.
Re: (Score:2)
The only way that can be made to work is for all of us to control the hardware and software we use, and for each of us to have a private key which we share with selected people. Systems which rely on dynamic key negotiation can be broken by routers. Systems which rely on globally available certificates can be broken by the authorities which operate the certs.